Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support
- To: Christoph Lameter <cl@xxxxxxxxx>
- Subject: Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support
- From: Kees Cook <keescook@xxxxxxxxxxxx>
- Date: Fri, 8 Jul 2016 13:41:20 -0400
- Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx>, "kernel-hardening@xxxxxxxxxxxxxxxxxx" <kernel-hardening@xxxxxxxxxxxxxxxxxx>, Jan Kara <jack@xxxxxxx>, Catalin Marinas <catalin.marinas@xxxxxxx>, Will Deacon <will.deacon@xxxxxxx>, Linux-MM <linux-mm@xxxxxxxxx>, sparclinux <sparclinux@xxxxxxxxxxxxxxx>, linux-ia64@xxxxxxxxxxxxxxx, Andrea Arcangeli <aarcange@xxxxxxxxxx>, linux-arch <linux-arch@xxxxxxxxxxxxxxx>, "x86@xxxxxxxxxx" <x86@xxxxxxxxxx>, Russell King <linux@xxxxxxxxxxxxxxx>, PaX Team <pageexec@xxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxx>, Mathias Krause <minipli@xxxxxxxxxxxxxx>, Fenghua Yu <fenghua.yu@xxxxxxxxx>, Rik van Riel <riel@xxxxxxxxxx>, David Rientjes <rientjes@xxxxxxxxxx>, Tony Luck <tony.luck@xxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Joonsoo Kim <iamjoonsoo.kim@xxxxxxx>, Dmitry Vyukov <dvyukov@xxxxxxxxxx>, Laura Abbott <labbott@xxxxxxxxxxxxxxxxx>, Brad Spengler <spender@xxxxxxxxxxxxxx>, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, Pekka Enberg <penberg@xxxxxxxxxx>, Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, "linuxppc-dev@xxxxxxxxxxxxxxxx" <linuxppc-dev@xxxxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, "linux-arm-kernel@xxxxxxxxxxxxxxxxxxx" <linux-arm-kernel@xxxxxxxxxxxxxxxxxxx>
- In-reply-to: <alpine.DEB.2.20.1607081119170.6192@east.gentwo.org>
- List-id: <linux-ia64.vger.kernel.org>
- References: <577f7e55.4668420a.84f17.5cb9SMTPIN_ADDED_MISSING@mx.google.com> <alpine.DEB.2.20.1607080844370.3379@east.gentwo.org> <CAGXu5jKE=h32tHVLsDeaPN1GfC+BB3YbFvC+5TE5TK1oR-xU3A@mail.gmail.com> <alpine.DEB.2.20.1607081119170.6192@east.gentwo.org>

On Fri, Jul 8, 2016 at 12:20 PM, Christoph Lameter <cl@xxxxxxxxx> wrote:
> On Fri, 8 Jul 2016, Kees Cook wrote:
>
>> Is check_valid_pointer() making sure the pointer is within the usable
>> size? It seemed like it was checking that it was within the slub
>> object (checks against s->size, wants it above base after moving
>> pointer to include redzone, etc).
>
> check_valid_pointer verifies that a pointer is pointing to the start of an
> object. It is used to verify the internal points that SLUB used and
> should not be modified to do anything different.

Yup, no worries -- I won't touch it. :) I just wanted to verify my
understanding.

And after playing a bit more, I see that the only thing to the left is
padding and redzone. SLUB layout, from what I saw:

offset:        what's there
-------
start:         padding, redzone
red_left_pad:  object itself
inuse:         rest of metadata
size:          start of next slub object

(and object_size == inuse - red_left_pad)

i.e. a pointer must be between red_left_pad and inuse, which is the
same as pointer - red_left_pad being less than object_size.

So, as found already, the position in the usercopy check needs to be
bumped down by red_left_pad, which is what Michael's fix does, so I'll
include it in the next version.

Thanks!

-Kees

--
Kees Cook
Chrome OS & Brillo Security
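
The layout and position adjustment described in this message, modelled in user-space C as an added example (not code from the patch series or from the kernel). Only the names `size`, `red_left_pad`, `inuse` and `object_size` come from the message; the struct, the function names and the sample sizes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the layout in the message; not the kernel's struct kmem_cache. */
struct slub_layout {
    size_t size;          /* stride: offset of the next slub object */
    size_t red_left_pad;  /* padding/redzone bytes before the object itself */
    size_t inuse;         /* end of the object, start of the remaining metadata */
};

static size_t object_size(const struct slub_layout *s)
{
    return s->inuse - s->red_left_pad;
}

/* Check without the adjustment: offset is measured from the start of the slot. */
static bool copy_ok_unadjusted(const struct slub_layout *s, size_t slab_off, size_t n)
{
    size_t offset = slab_off % s->size;
    return offset <= object_size(s) && n <= object_size(s) - offset;
}

/* Position bumped down by red_left_pad: offset is measured from the object. */
static bool copy_ok(const struct slub_layout *s, size_t slab_off, size_t n)
{
    size_t offset = slab_off % s->size;
    if (offset < s->red_left_pad)   /* pointer is in the left padding/redzone */
        return false;
    offset -= s->red_left_pad;
    return offset <= object_size(s) && n <= object_size(s) - offset;
}

/* Constructed sample: 64-byte object, 16-byte left pad, 96-byte stride. */
static const struct slub_layout sample = { .size = 96, .red_left_pad = 16, .inuse = 80 };

int main(void)
{
    /* Slot 2 starts at slab offset 192, so its object occupies 208..271. */
    printf("full object, adjusted:   %d\n", copy_ok(&sample, 208, 64));
    printf("full object, unadjusted: %d\n", copy_ok_unadjusted(&sample, 208, 64));
    printf("redzone, adjusted:       %d\n", copy_ok(&sample, 192, 8));
    printf("redzone, unadjusted:     %d\n", copy_ok_unadjusted(&sample, 192, 8));
    return 0;
}
```

With the unadjusted offset the check both rejects a copy of the whole object and accepts a copy that starts in the left redzone; subtracting `red_left_pad` fixes both.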